WebApi Proxy throwing 404 for URLs with invalid chars

Question

I'm using C# .NET WebApi to create an API proxy, here is basic code that I have that works fine for most calls:

[HttpGet]
[Route("api/proxy/{*.}")]
public async Task<HttpResponseMessage> Get()
{
   // some route here...
}

But when I have a URL with special chars, like : (%3F) or / (%2F) it fails with 404. If I remove the special chars, it works.

http://localhost:3000/api/proxy/viewing/v1/items/urn%3Aadsk.viewing%3Afs.file%3AdXJuOmVUE_dmVyc2lvbj0x%2Foutput%2Fd4b6ef1c-8d219bd84c9d%2F0.pf?domain=http%3A%2F%2Flocalhost%3A3000

And tried a few suggestions on web.config, but nothing:

<system.web>
  <httpRuntime targetFramework="4.6" requestPathInvalidCharacters=""/>
  <pages validateRequest="false" />
</system.web>

All other WebApi endpoints are working with a Global.asax like this:

public class Global : System.Web.HttpApplication
{
  protected void Application_Start(object sender, EventArgs e)
  {
    GlobalConfiguration.Configure(Config.WebApiConfig.Register);
  }
}

And the Config.WebApiConfig:

public class WebApiConfig
{
  public static void Register(HttpConfiguration config)
  {
    config.MapHttpAttributeRoutes();
  }
}

Answer 1

According to the answer MVC WEB API routing fails when url contains encoded ampersand you need to remove characters that you consider valid from requestPathInvalidCharacters property of httpruntime:

<httpruntime requestvalidationmode="2.0">
             requestPathInvalidCharacters="*,:,&amp;,\"
             relaxedUrlToFileSystemMapping="true" />

But it is much more safe to pass those parameters as query string.

EDIT:

I have tested url form your question http://localhost:3000/proxy/target/v1/urn%3Aparam%2Foutpu?domain=http%3A%2F%2Flocalhost%3A3000 and it works by simply allowing % character. So you need to list allowed characters there in the requestPathInvalidCharacters property, i.g: %,&,*,\. My current config is:

<httpRuntime targetFramework="4.6.1" requestPathInvalidCharacters="%" />

EDIT 2:

I have made some more research and found an answer to ASP.net MVC4 WebApi route with file-name in it. Simple solution is to add runAllManagedModulesForAllRequests property to modules section in web config. If you check accepted answer you can try to fine-tune the solution to reduce the impact of running all managed modules.

To conclude, you need to modify following sections. I have removed only : from default value of requestPathInvalidCharacters, which applies to already decoded URL and has nothing to with % characters in encoded URL:

<system.web>
  <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,\,?"/>
</system.web>

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
  ...
  </modules>
</system.webServer>

Answer 2

Try this 2 changes in web.config.

<system.web>
   <httpRuntime targetFramework="4.6" requestPathInvalidCharacters=""/>
</system.web>
...
<system.webServer>
<handlers>
  ...
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler"
    preCondition="integratedMode,runtimeVersionv4.0"/>
</handlers>

Note: I set an empty list in requestPathInvalidCharacters and change the path filter in the handler to "*".